Apparatus and method for sponsored connectivity to wireless networks using application-specific network access credentials

ABSTRACT

At least one feature pertains to a method operational at a user device that includes receiving, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider. The method also includes determining that a wireless communication network provides application-specific access to the application service provided by the application service provider, and transmitting a registration request including the application-specific certificate to the wireless communication network for authentication of the user device. The application-specific certificate includes a user device public key. The method further includes performing authentication and key agreement with the wireless communication network, and communicating with the application service after authentication and key agreement is successfully performed. In one aspect, authentication and key agreement with the network is performed directly between the user device and the network and independent to the application service provider.

CLAIM OF PRIORITY

The present application for patent claims priority to provisional application No. 62/134,206 entitled “Apparatus and Method for Sponsored Connectivity to Wireless Networks Using Application-Specific Network Access Credentials” filed Mar. 17, 2015, the entire disclosure of which is hereby expressly incorporated by reference.

BACKGROUND

1. Field

The present invention relates generally to establishing a data connection between a user equipment and a wireless network.

2. Background

Generally, access to a wireless cellular system by a user device is based on a pre-arranged subscriber format. Access is typically not afforded to user devices who are not subscribers of the wireless cellular system or do not have the benefit of an existing relationship with the wireless cellular system.

However, an application service provider may want a user device to have access to its servers and services through the wireless cellular system notwithstanding the absence of a subscription for the wireless cellular system by the user device. The application service provider may be willing to compensate the wireless cellular system on behalf of the user device for this access. Such “sponsored connectivity” may allow the user device to utilize the wireless cellular network on a limited basis in order to connect to servers of the application service provider for a specific application, and the application service provider is charged for the access.

Existing solutions for sponsored connectivity include access point name (APN) based forwarding where a bearer is set up based on an APN configured in a subscriber identity module (SIM) provisioned by a sponsor, generic bootstrapping architecture only available to current subscribers equipped with SIM capability, and application based forwarding where traffic is filtered based on internet protocol (IP) addresses.

However, problems exist with the aforementioned existing solutions. For example, the user device may not be equipped with the operator's (e.g., wireless cellular system) credentials. For instance, the user device may lack a SIM or may not have a cellular subscription. In the case where IP address based filtering is used, sponsored connectivity may not be easily scaled for many different sponsors (e.g., application service providers), unauthorized/unauthenticated traffic may flow through the operator's core network, the service access network (e.g., gateways) may be prone to an overload attack, the application service provider may be charged for non-service related traffic (e.g., traffic caused by an attack), and no “first-mile” (e.g., access through evolved node B (eNB) and/or mobility management entity (MME)) defense (i.e., filtering) may be available.

Therefore, there is a need for improved methods, apparatuses, and systems for establishing sponsored connectivity that allow user devices to access an application service provider through a wireless network for which the user devices lack subscriptions.

SUMMARY

One feature provides a method operational at a user device, the method comprising receiving, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider, determining that a wireless communication network provides application-specific access to the application service provided by the application service provider, transmitting a registration request including the application-specific certificate to the wireless communication network for authentication of the user device, the application-specific certificate including a public key associated with the application service, performing authentication and key agreement with the wireless communication network, and communicating with the application service after authentication and key agreement is successfully performed. According to one aspect, authentication and key agreement with the wireless communication network is performed directly between the user device and the wireless communication network and independent to the application service provider. According to another aspect, the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.

According to one aspect, the application-specific certificate further includes an application identifier and an application-specific digital signature, the application-specific digital signature including the public key and the application identifier both signed by a private key of the application service provider, the application identifier uniquely associated with the application service. According to another aspect, the method further comprises obtaining application-specific access to the application service after authentication and key agreement is successful. According to yet another aspect, determining that the wireless communication network provides application-specific access includes receiving an announcement broadcast by the wireless communication network of an availability of the application service through the wireless communication network.

According to one aspect, the method further comprises receiving, from the application service provider, a plurality of certificates associated with trusted wireless communication networks, the plurality of certificates including a certificate having a wireless communication network public key that is a public key of the wireless communication network. According to another aspect, the method further comprises authenticating the wireless communication network by verifying a wireless communication network digital signature using the wireless communication network public key, the wireless communication network digital signature included in an application service announcement received from the wireless communication network. According to yet another aspect, the method further comprises enabling communication between the user device and a set of application services allowed by the application service provider after authentication and key agreement is successfully performed.

Another feature provides a user device comprising a wireless communication interface adapted to wirelessly communicate with a wireless communication network, and a processing circuit communicatively coupled to the communication interface, the processing circuit adapted to receive, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider, determine that a wireless communication network provides application-specific access to the application service provided by the application service provider, transmit a registration request including the application-specific certificate to the wireless communication network for authentication of the user device, the application-specific certificate including a public key associated with the application service, perform authentication and key agreement with the wireless communication network, and communicate with the application service after authentication and key agreement is successfully performed. According to one aspect, the processing circuit is further adapted to obtain application-specific access to the application service after authentication and key agreement is successful. According to another aspect, the processing circuit adapted to determine that the wireless communication network provides application-specific access includes the processing circuit further adapted to receive an announcement broadcast by the wireless communication network of an availability of the application service through the wireless communication network.

According to one aspect, the processing circuit is further adapted to receive, from the application service provider, a plurality of certificates associated with trusted wireless communication networks, the plurality of certificates including a certificate having a wireless communication network public key that is a public key of the wireless communication network. According to another aspect, the processing circuit is further adapted to authenticate the wireless communication network by verifying a wireless communication network digital signature using the wireless communication network public key, the wireless communication network digital signature included in an application service announcement received from the wireless communication network. According to yet another aspect, the processing circuit is further adapted to enable communication between the user device and a set of application services allowed by the application service provider after authentication and key agreement is successfully performed.

Another feature provides a user device comprising means for receiving, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider, means for determining that a wireless communication network provides application-specific access to the application service provided by the application service provider, means for transmitting a registration request including the application-specific certificate to the wireless communication network for authentication of the user device, the application-specific certificate including a public key associated with the application service, means for performing authentication and key agreement with the wireless communication network, and means for communicating with the application service after authentication and key agreement is successfully performed. According to one aspect, the user device further comprises means for obtaining application-specific access to the application service after authentication and key agreement is successful. According to another aspect the user device further comprises means for receiving, from the application service provider, a plurality of certificates associated with trusted wireless communication networks, the plurality of certificates including a certificate having a wireless communication network public key that is a public key of the wireless communication network, and means for authenticating the wireless communication network by verifying a wireless communication network digital signature using the wireless communication network public key, the wireless communication network digital signature included in an application service announcement received from the wireless communication network.

Another feature provides a method operational at a wireless communication network device associated with a wireless communication network, the method comprising receiving, from an application service provider, an application service provider certificate that includes an application service provider public key, receiving, from a user device, a registration request for application-specific access to an application service provided by the application service provider, the registration request including an application-specific certificate signed by the application service provider, the application-specific certificate including a public key associated with the application service, verifying the application-specific certificate using the application service provider public key to authenticate the user device, and performing authentication and key agreement with the user device. According to one aspect, authentication and key agreement with the user device is performed directly between the user device and the wireless communication network device and independent to the application service provider. According to another aspect, the method further comprises receiving application service registration information associated with the application service before receiving the registration request from the user device.

According to one aspect, the method further comprises broadcasting an announcement that indicates availability of application-specific access to the application service through the wireless communication network. According to another aspect, the application service announcement includes a wireless communication network digital signature signed by a private key of the wireless communication network, the digital signature adapted for verification at the user device with a wireless communication network public key. According to yet another aspect, the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.

According to one aspect, the application-specific certificate further includes an application identifier and an application-specific digital signature, the application-specific digital signature including the public key and the application identifier both signed by a private key of the application service provider, the application identifier uniquely associated with the application service. According to another aspect, the method further comprises providing application-specific access to the user device for the application service after authentication and key agreement is successful. According to yet another aspect, the method further comprises storing an application-specific certificate revocation list including a plurality of application-specific certificates provisioned to user devices that have been revoked and to which application-specific access should not be granted.

Another feature provides a wireless communication network device associated with a wireless communication network, the wireless communication network device comprising a wireless communication interface adapted to wirelessly communicate with at least a user device, and a processing circuit communicatively coupled to the wireless communication interface, the processing circuit adapted to receive, from an application service provider, an application service provider certificate that includes an application service provider public key, receive, from the user device, a registration request for application-specific access to an application service provided by the application service provider, the registration request including an application-specific certificate signed by the application service provider, the application-specific certificate including a public key associated with the application service, verify the application-specific certificate using the application service provider public key to authenticate the user device, and perform authentication and key agreement with the user device. According to one aspect, the processing circuit is further adapted to receive application service registration information associated with the application service before receiving the registration request from the user device. According to another aspect, the processing circuit is further adapted to broadcast an announcement that indicates availability of application-specific access to the application service through the wireless communication network.

According to one aspect, the processing circuit is further adapted to provide application-specific access to the user device for the application service after authentication and key agreement is successful. According to another aspect, the processing circuit is further adapted to store an application-specific certificate revocation list including a plurality of application-specific certificates provisioned to user devices that have been revoked and to which application-specific access should not be granted.

Another feature provides a wireless communication network device comprising means for receiving, from an application service provider, an application service provider certificate that includes an application service provider public key, means for receiving, from a user device, a registration request for application-specific access to an application service provided by the application service provider, the registration request including an application-specific certificate signed by the application service provider, the application-specific certificate including a public key associated with the application service, means for verifying the application-specific certificate using the application service provider public key to authenticate the user device, and means for performing authentication and key agreement with the user device. According to one aspect, the wireless communication network device further comprises means for receiving application service registration information associated with the application service before receiving the registration request from the user device. According to another aspect, the wireless communication network device further comprises means for providing application-specific access to the user device for the application service after authentication and key agreement is successful.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a high-level schematic diagram of a communication system featuring sponsored connectivity (i.e., “application-specific access”) for one or more application services.

FIG. 2 illustrates a high-level flow chart for providing sponsored connectivity using application-specific credentials.

FIGS. 3 and 4 illustrate various processes/steps that are executed within an exemplary communication system for establishing sponsored connectivity using a shared key as an application-specific credential.

FIGS. 5 and 6 illustrate various processes/steps that are executed within an exemplary communication system for establishing sponsored connectivity using a public key certificate as an application-specific credential.

FIGS. 7A and 7B illustrate a process flowchart for executing sponsored connectivity using a shared key.

FIGS. 8A and 8B illustrate a process flowchart for executing sponsored connectivity using a public key certificate.

FIG. 9 illustrates a process flowchart for executing sponsored connectivity using a public key.

FIG. 10 illustrates a schematic block diagram of a user device.

FIG. 11 illustrates a first exemplary schematic block diagram of the user device's processing circuit.

FIG. 12 illustrates a second exemplary schematic block diagram of the user device's processing circuit.

FIG. 13 illustrates a flowchart of a first exemplary method operational at a user device for obtaining application-specific access.

FIG. 14 illustrates a flowchart of a second exemplary method operational at a user device for obtaining application-specific access.

FIG. 15 illustrates a schematic block diagram of a wireless communication network device.

FIG. 16 illustrates a first exemplary schematic block diagram of the network device's processing circuit.

FIG. 17 illustrates a second exemplary schematic block diagram of the network device's processing circuit.

FIG. 18 illustrates a flowchart of a first exemplary method operational at a network device for providing application-specific access.

FIG. 19 illustrates a flowchart of a second exemplary method operational at a network device for providing application-specific access.

DETAILED DESCRIPTION

In the following description, specific details are given to provide a thorough understanding of the various aspects of the disclosure. However, it will be understood by one of ordinary skill in the art that the aspects may be practiced without these specific details. For example, circuits may be shown in block diagrams in order to avoid obscuring the aspects in unnecessary detail. In other instances, well-known circuits, structures and techniques may not be shown in detail in order not to obscure the aspects of the disclosure.

The word “exemplary” is used herein to mean “serving as an example, instance, or illustration.” Any implementation or aspect described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects of the disclosure. Likewise, the term “aspects” does not require that all aspects of the disclosure include the discussed feature, advantage, or mode of operation. As used herein, the term “application service” refers to an application and/or service provided by and/or allowed access to by an application service provider. The term “application service provider” refers to an entity that provides an application service.

FIG. 1 illustrates a high-level schematic diagram of a communication system 100 featuring sponsored connectivity (i.e., “application-specific access”) for one or more application services according to one aspect of the disclosure. The system includes a plurality of user devices 102 (e.g., user equipment (UE)) that are in wireless communication 103 with a wireless communication network 104 (e.g., wireless cellular network). The wireless communication network 104 may include one or more radio access networks 106 and a core network 108. The plurality of user devices 102 may access (i.e., communicate with) an application service provider 112 through the wireless communication network 104 and any other packet data networks (PDNs) 110 (e.g., internet, instant messaging services (IMS), etc.) there between. For instance, the plurality of devices 102 may desire access to one or more application services 114 provided by (e.g., hosted by) and/or allowed access to by the application service provider 112. For example, the application service 114 may be software provided by the application service provider 112. As another example, the application service 114 may allow the user devices 102 to access other applications, data, websites, and/or services not provided/owned by the application service provider 114. In this sense the application service 112 may allow the user devices 102 to access a general data connection too in some cases.

According to one aspect, the user devices 102 are wireless communication devices such as, but not limited to, mobile phones, smartphones, laptops, personal digital assistants (PDAs), tablets, computers, smartwatches, and head-mounted wearable computers (e.g., Google Glass®). According to one aspect, the cellular network 104 may be any wireless network including but not limited to the Global System for Mobile Communications (GSM) network, Universal Mobile Telecommunications System (UMTS) network, the long term evolution (LTE) network, and any other wireless communication network. According to one aspect, the application service 114 may be any electronic application and/or service such as, but not limited to, a website, software, program, a database, etc. that is provided, hosted and/or otherwise managed by the application service provider 112. One or more servers or other hardware devices may comprise the application service provider 112 to facilitate the operation of the application service 114. Although only one application service 114 is shown, the application service provider 114 may provide a plurality of different application services (e.g., a set of services). Similarly, although only one application service provider 112 is shown, there may a plurality of different application service providers each providing one or more application services that may be available through application-specific access through the wireless communication network 104.

The user devices 102 may not have a subscription or any existing relationship with the wireless communication network 104. Thus, ordinarily the user devices 102 may not be able to use the wireless communication network 104 to generally send or receive data. However, given pre-negotiated arrangements and agreements between the application service provider 112 and the wireless communication network's 104 operator, the wireless communication network 104 may allow the user devices 102 to access the application service provider 112 and/or its application service 114 using the network 104 and charge at least a portion, if not all, of the fees, if any, for such usage to the application service provider 114. In this sense the application service provider 112 sponsors the user devices' usage of the wireless communication network 104 and the user devices 102 therefore have sponsored connectivity to the application service provider 112 and/or application service 114.

FIG. 2 illustrates a high-level flow chart 200 for providing sponsored connectivity using application-specific credentials according to one aspect of the disclosure. Generally, the process for providing a user device sponsored connectivity to a wireless network includes setup 202 (e.g., setup phase) and authentication 204 (e.g., authentication phase).

During setup 202, a user device may be provisioned with an application-specific credential 206 by the application service provider. The application-specific credential allows the user device to be authenticated for application-specific access to an application service provided by the application service provider through the wireless communication network. The application-specific credential may be supplied in a secure manner such as, but not limited to, encrypting the credential using the user device's public key (if any) and/or using a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) cryptographic protocol. The application-specific credential may be based on a shared key (e.g., symmetric key), a user device public key certificate, and/or a combination of the two. For example, in one aspect the application-specific credential may be a shared key provided to the user device and also stored at the application service provider. As another example, the application-specific credential may be an application-specific certificate that includes an application-specific digital signature. The application-specific credential may be stored in a secure execution environment or trusted execution environment of the user device. One non-limiting, non-exclusive example of a secure execution environment is TrustZone® in the ARM® architecture.

Also during setup 202, the user device may be provisioned 208 with a plurality of certificates associated with trusted wireless communication networks. For example, the plurality of certificates may be a list of trusted mobile network operators' (MNO) certificates. The application service provider may also perform service provisioning 210 that includes registering an application service with a service provisioning function (SPF) that may be part of the wireless communication network. The SPF may in turn provision 210 one or more wireless communication network devices (e.g., RAN, MME, etc.) with the application service provider's public key in the case where the application-specific credential is the application-specific certificate. According to one example, the application service provider's public key may be provided to the network devices by itself. As another example, it may be provided in the form of a certificate: either self-signed certificate (i.e., application service provider public key certificate signed by the application service provider) or third party signed certificate.

After setup 202, authentication 204 and key agreement may be performed based on whether the application-specific credential used is a shared key 212 or a public key certificate 214. In the case where the application-specific credential is a shared key 212, the application service provider acts as a home subscriber service (HSS) authentication, authorization and accounting (AAA) entity. The shared key is kept secret and may be pre-shared between the user device and the application service provider via an out of band communication channel (e.g., Wi-Fi®) that is different from the main communication channel (e.g., data path shown in FIG. 4) between the user device and the application service provider. In one aspect, a data connection (e.g., data communication channel via the Internet) is established between the wireless communication network device(s) (e.g., MME) and the application service provider since the MME and the application service provider may not have a direct signaling channel (e.g., control channel) between one other. At first, the data connection may be used only to forward an authentication information request to the application service provider in order to authenticate the user device (e.g., successfully perform authentication and key agreement). Only once the user device is authenticated may the user device also transmit data traffic to the application service provider through the data connection and/or another data connection. Moreover, application-specific traffic/mobility handling (e.g., bearer pre-configuration) to the application server may be configured.

In the case where the application-specific credential is the application-specific certificate, the wireless communication network may authenticate the user device attempting to gain sponsored connectivity through the network by verifying the application-specific digital signature contained within the application-specific certificate. Network access authentication is performed within the wireless network without having to contact the application service provider. That is, the network access authentication may be performed between the wireless communication network and the user device independent to the application service provider (i.e., without having to contact the application service provider for authentication). Thus, application-specific authentication and filtering in such a case can be enforced in the “first mile” (e.g., enforced by an RAN and/or MME). Similarly, the user device may use the plurality of certificates associated with the trusted wireless communication networks it was provisioned with to authenticate the specific wireless communication network with which it is attempting to establish sponsored connectivity for an application service. Specifically, the user device may use these certificates to verify one or more digital signatures included in announcements (e.g., application service announcements) broadcast by the wireless communication network.

FIGS. 3 and 4 illustrate various processes/steps that are executed within an exemplary communication system 300 for establishing sponsored connectivity using a shared key as an application-specific credential according to one aspect of the disclosure. Referring to FIG. 3, the application service provider (ASP) 112 may first register an application service 114 to the wireless communication network 104 via a service provisioning function (SPF) 302 (Steps A1 or A2 and Step B). In some aspects the SPF 302 may be part of the wireless communication network 104 (e.g., it may be software residing at any network device of the network 104). Registration of the application service to the wireless communication network 104 may include providing/provisioning application service registration information that may include an application identifier that is uniquely associated to the application service, billing relation information, interface setup information between the SPF 302 and the ASP 112 (e.g., security associated information, virtual private network information, etc.), and so on. The application service registration information may be provided to network devices of the network 104 including, but not limited to, the RAN 106, MME 304, and/or the Service Query Protocol (SQP) server 303.

According to one aspect, the ASP 112 may communicate directly with the SPF 302 and transmit the application service registration information directly to the SPF 302 (i.e., step A1). In other aspects, the ASP 112 may not have a direct interface with the wireless communication network 104 and/or the SPF 302 and consequently the ASP 112 may transmit the application service registration information to the SPF 302 using a data line connection through the PDNs 110 and one or more packet data networks gateways (P-GW) 308 (i.e., Step A2). The SQP server 303 may handle queries from the user device 102 and provide at least a portion of the application service registration information received from the SPF 302 to the user device 102.

At Step C, the ASP 112 performs device registration where, among other things, the ASP 112 may provision the user device 102 with the application-specific credential, which in this case is a shared key that is uniquely associated with the user device 102. The ASP 112 may also provide an application identifier that identifies the application service the user device 102 wishes to access using sponsored connectivity. The ASP 112 may provide the application-specific credential to the user device 102 in a secure manner such as using the user device's public key or a secure channel (e.g., TLS). The application-specific credential may be stored in a secure execution environment of the user device 102. According to one aspect, the application-specific credential provisioning may be skipped if a password or an access token for the application access is used for the network access.

Referring to FIG. 4, an attach procedure (step D) is performed between the user device 102 and the application service provider 112. This consists of the user device 102 transmitting a registration request (e.g., attach request) to the wireless communication network 104. The registration request may include a device identifier identifying the user device 102 and an application identifier identifying the application service 114 to which the user device 102 desires sponsored connectivity. In one example, the application identifier may be a fully qualified domain name (FQDN). The wireless communication network 104 (e.g., MME 304) may then forward an authentication information request that includes the registration request and a serving network identifier to the application service provider 112 through the data path (see dashed arrow labeled “data path” in FIG. 4). The data path may be a secure data channel (e.g., TLS or hypertext transfer protocol secure (HTTPS)). Thus, the authentication information request message goes through one or more serving gateways (S-GWs) 306, one or more P-GWs 308, and one or more packet data networks 110 to reach the application service provider 112 from the MME 304. By contrast, in the prior art, authentication requests pertaining to granting a user device general cellular network access are sent to an HSS/AAA entity 402/404 from the MME 304 over a dedicated, direct control path and interface with an MME (e.g., S6a interface) instead of through the data path. The ASP 112 may then look up the shared key associated with the device identifier and application identifier it received in the authentication information request and supply authentication information back to the wireless communication network 104 to facilitate authentication and key agreement with the user device 102.

FIGS. 5 and 6 illustrate various processes/steps that are executed within an exemplary communication system 500 for establishing sponsored connectivity using a public key certificate as an application-specific credential according to one aspect of the disclosure. Referring to FIG. 5, the ASP 112 may first register an application service 114 to the wireless communication network 104 via a service provisioning function (SPF) 502 (Steps A1 or A2 and Step B). In some aspects the SPF 502 may be part of the wireless communication network 104 (e.g., it may be software residing at any network device of the network 104). Registration of the application service 114 with the wireless communication network 104 may include providing/provisioning application service registration information that may include an application identifier that is uniquely associated to the application service, billing relation information, interface setup information between the SPF 302 and the ASP 112 (e.g., security associated information, virtual private network information, etc.), and so on. The application service registration information may be provided to network devices of the network 104 including, but not limited to, the RAN 106, MME 304, and/or the Service Query Protocol (SQP) server 303. The ASP 112 also provisions one or more network devices, such as the RAN 106 and/or the MME 304 with an application service provider public key (Step B). The public key may be provided by itself or in the form of a certificate (e.g., self-signed application service provider public key certificate or a certificate signed by a third party). In one aspect, the ASP 112 provides a different application service provider public key (or application service provider public key certificate) to the network devices 106, 304 for each application service 114 it hosts. In another aspect, the ASP 112 may provide the same application service provider public key (or application service provider public key certificate) to the network devices 106, 304 for each application service 114 it hosts.

According to one aspect, the ASP 112 may communicate directly with the SPF 502 and transmit the application service registration information including the application service provider certificate (ASP's public key certificate or ASP's public key) directly to the SPF 502 (i.e., step A1). In other aspects, the ASP 112 may not have a direct interface with the wireless communication network 104 and/or the SPF 502 and consequently the ASP 112 may transmit the application service registration information and the application service provider certificate to the SPF 502 using a data line connection through the PDNs 110 and one or more packet data networks gateways (P-GW) 308 (i.e., Step A2). The SQP server 303 may handle queries from the user device 102 and provide at least a portion of the application service registration information received from the SPF 502 to the user device 102.

At Step C, the ASP 112 performs device registration where, among other things, the ASP 112 may provision the user device 102 with the application-specific credential, which in this case may be an application-specific certificate. The application-specific certificate may be a simple public key infrastructure (SPKI) certificate ([identity+public key], [authorizations/signature]) that includes the user device identifier, user device public key, and an application-specific digital signature. The application-specific digital signature may be the user device's 102 public key signed by a private key of the application service provider (i.e., application service provider's private key). In some aspects, the application-specific digital signature may also include the application identifier (i.e., the ASP 112 signs both the application identifier and the user device's 102 public key). In the latter case, the application-specific certificate also includes the application identifier. According to one aspect, the private key used by the application service provider 112 to sign the application-specific digital signature may be uniquely associated with each application service 114 the application service provider 112 provides/hosts. In one aspect, rather than provisioning the user device 102 with the entire application-specific certificate, the ASP 112 provisions the user device 102 with simply the application-specific digital signature and the user device may later append its user device identifier, user device public key, and in some cases the application identifier, to form the complete application-specific certificate.

The application service provider 112 may provide the application-specific certificate to the user device 102 in a secure manner such as using the user device's public key or a secure channel (e.g., TLS). The application-specific certificate may be stored in a secure execution environment or trusted execution environment of the user device 102. According to one aspect, the application-specific credential provisioning may be skipped if a password or an access token for the application access is used for the network access.

Referring to FIG. 6, an attach procedure (step D) is performed between the user device 102 and the application service provider 112. This consists of the user device 102 transmitting a registration request (e.g., attach request) to the wireless communication network 104. The registration request includes the application-specific certificate. The MME 304 verifies the application-specific digital signature included in the certificate to verify the identity of the user device 102. Similarly, the MME 304 may broadcast an application service announcement to the user device 102 that includes a wireless communication network digital signature. The user device 102 may verify the wireless communication network digital signature using a public key of the wireless communication network 104 that was provisioned to it by the application service provider 112. The MME 304 and the user device 102 may then perform authentication and key agreement with each other independent to the application service provider 112 (i.e., without having to contact the application service provider 112 for authentication of the user device). Thus, authentication and key agreement is performed in the “first mile” (i.e., at the MME 304) and not further into the core network 108.

In some aspects, the application-specific credential may include a combination of a shared key(s) and application-specific certificate(s). For example, the application-specific certificate may be used for initial identify verification of the user device 102, and a shared key may be used for authentication and key agreement.

FIGS. 7A and 7B illustrate a process flowchart 700 for executing sponsored connectivity using a shared key according to one aspect of the disclosure. When a user registers the user device 102 to the application service provider 112 (e.g., application server) the user device 102 is provisioned 702 with a shared key by the application service provider 112. In some aspects, the user device 102 may also be provisioned with a device identifier (e.g., user identifier) and/or an application identifier (e.g., fully qualified domain name) associated with an application service by the application service provider. In other aspects, the user device 102 may already be in possession of a user identifier (e.g., at the time of manufacture) and it provides this device identifier to the ASP 112 during device registration so that the ASP 112 can associate the device identifier with the shared key. The device identifier may be an international mobile station equipment identifier (IMEI), an Institute of Electrical and Electronics Engineers (IEEE) Extended Unique Identifier (EUI) address (e.g., EUI-48 or EUI-64) (i.e., media access control (MAC) address), mobile station subscriber international subscriber directory number (MSISDN), network access identifier (NAI), etc. The shared key is kept secret and may be pre-shared between the user device 102 and the application service provider 112 via an out of band communication channel (e.g., Wi-Fi®). The application service provider 112 also stores 704 the shared key associated with the user device 102 (e.g., associated with the device identifier of the user device 102). The application service provider 112 may also register the application service to the mobile network operator's (MNO's) wireless network 104 so the network 104 can then begin to broadcast/transmit application service announcements for availability of sponsored connectivity for the application service.

A service discovery procedure is performed 706 between the user device 102 and the RAN 106 (e.g., eNB) of the wireless network 104 that allows the user device 102 to detect whether the wireless network 104 provides the application service(s) that the user device 102 may be interested in. The service discovery may be enabled by a service provisioning function via Service Query Protocol (SQP), which has a similar functionality to a generic advertisement service (GAS) and active network query protocol (ANQP). Once the user device 102 determines that the wireless network 104 provides sponsored connectivity to the application service(s) that it wants, the user device 102 sends 708 a registration request (e.g., attach request) message that includes its device identifier and the application identifier (e.g., FQDN) to the RAN 106. The RAN 106 forwards 710 the registration request message to the MME 304. The MME 304 then adds 712 a serving network identifier (e.g., an identifier that identifies the serving network) to the registration request message to form an authentication information request. The MME then sends 714 the authentication information request message to the application service provider 112 over a data path (e.g., data channel, data traffic communication line, data connection, etc., see “Data Path” in FIG. 4), which may be secure (e.g., TLS or hypertext transfer protocol secure (HTTPS)). Thus, the authentication information request message goes through one or more S-GWs 506, one or more P-GWs 508, and one or more packet data networks 110 before reaching the application service provider 112. By contrast, in the prior art, authentication requests pertaining to granting a user device cellular network access are sent to an HSS/AAA entity over a dedicated, direct control channel interface with an MME (e.g., S6a interface) instead of through a data connection.

The application service provider 112 derives 716 an authentication vector (AV) from the shared key associated with the user device 102 and sends 718 the AV to the MME 304. Derivation of the AV is described in 3GPP 33.401 where AV=[K_ASME, AUTN, RAND, XRES] and K_ASME is a key (e.g., access security management entity (ASME), AUTN is an authentication token, RAND is a random number, and XRES is the expected response. The MME 304 stores 720 the values K_ASME and XRES in local memory and forwards 722 RAND and AUTN to the user device 102. The user device 102 validates the value AUTN received using its stored shared key. If the value AUTN is valid, the user device 102 derives 724 an authentication response (RES) for the serving network 104 and also derives K_ASME. The user device 102 sends 726 the value RES to the MME 304. The MME 304 verifies 728 if XRES=RES. If the verification is successful, non-access stratum (NAS) and access stratum (AS) key setup is executed 730 between the user device 102 and the MME 304.

FIGS. 8A and 8B illustrate a process flowchart 800 for executing sponsored connectivity using a public key certificate according to one aspect of the disclosure. When the user device 102 registers with the application service provider 112, the application service provider 112 provisions 802 the user device 102 with an application-specific certificate. The ASP 112 may also provision the user device 102 with a device identifier and/or a trusted MNO and certificate list that includes a plurality of public key certificates of trusted wireless communication networks (e.g., MNOs). In one aspect, the user device 102 has its own device identifier that it provides to the ASP 112 during device registration so that the ASP stores the device identifier associated with the application-specific certificate provided. The device identifier may be an IMEI, IEEE EUI-48/EUI-64 address (i.e., MAC address), MSISDN or NAI. Alternatively, a device identifier may be the hash of its public key.

The application service provider 112 also transmits application service registration information to components/devices of the wireless communication network 104 (e.g., via an SPF 502 see FIG. 5). Application service registration information may include an application identifier that is uniquely associated to the application service, billing relation information, interface setup information between an SPF and the ASP 112 (e.g., security associated information, virtual private network information, etc.), and so on. The ASP 112 also provisions 804 one or more network devices, such as the RAN 106 and/or the MME 304 with an application service provider certificate (e.g., ASP's public key certificate). The ASP certificate may be self-signed (i.e., signed by the ASP) or signed by a trusted third party entity. In some aspects, the ASP may merely provision the one or more network devices with simply the public key (i.e., not the public key certificate).

As part of an application service announcement 806 by the RAN 106, a protocol similar to GAS/ANQP may be used for service discovery. The application service announcement may include a wireless communication network digital signature. If the service announcement includes such a digital signature, the user device 102 may verify 808 the digital signature using the wireless communication network public key that was provisioned to it in the trusted MNO's certificate list by the application service provider 112. The user device 102 may then send 810 a registration request to the MME 304 that includes the application-specific certificate. The registration request may also include the device identifier and a first random number (e.g., Nonce_(U)). The MME 304 may then verify 811 the application-specific digital signature included in the application-specific certificate using the application service provider certificate (i.e., using the public key of the ASP certificate) it was previously provisioned with. This verifies/authenticates 811 the identity of the user device 102.

Once verification 811 is successful, the MME 304 may then randomly generate 812 a key (K_ASME) and encrypt 814 K_ASME using the user device's 102 public key PK_UD (i.e., EncPK_UD(K_ASME) where Enc( ) is an encryption function). The MME 304 may then randomly generate a second random number (e.g., Nonce_(M)) and compute 816 XRES=HMAC(K_ASME, Nonce_(U)|Nonce_(M)) (where HMAC( ) is a keyed-hash message authentication code). The MME 304 then executes 818 a signature over EncPK_UD(K_ASME), Nonce_(M), PK_MME (where PK_MME is the public key of the MME 304). The MME 304 sends 820 EncPK_UE(K_ASME), Nonce_(M), PK_MME, and the signature to the user device 102. The user device 102 verifies the signature, decrypts K_ASME using its private key, and computes 822 RES=HMAC(K_ASME, Nonce_(U)|Nonce_(M)). The user device 102 sends 824 the value RES to the MME 304. The MME 304 compares 826 the value RES to the value XRES, and if they match (i.e., MME 304 successfully authenticates the user device), NAS and application service (AS) key setup is executed 828 between the user device 102 and the MME 304.

According to one aspect, the application service provider 112 may provide a certificate revocation list to the wireless communication network 104, which may then store the revocation list at the certificate service function (CSF) 801. The revocation list identifies those application-specific certificates that have been revoked or are otherwise invalid. The MME 304 may check with the CSF 801 to determine whether or not a user device attempting to obtain application-specific access has provided an application-specific certificate that is on the revocation list. If it is then the MME 304 may deny authentication of the user device 102 (i.e., deny application-specific access). According to one aspect, the CSF 801 stores an application-specific certificate for the duration of its lifetime (i.e., until its expiration date) regardless of whether the certificate is revoked prior to its expiration. For instance, an application-specific certificate may have a 1 year lifetime (i.e., expires in 1 year) but may be revoked after just one month. The CSF 801 may nevertheless store the certificate for the 11 months remaining in its lifetime. In another aspect, the CSF 801 may run an online certificate status protocol (OCSP) responder to provide certificate revocation status to the MMEs 304.

FIG. 9 illustrates a process flowchart 900 for executing sponsored connectivity using a public key according to one aspect of the disclosure. When the user device 102 registers with the application service provider 112, the application service provider 112 may provision 902 the user device 102 with a device identifier and a trusted MNO and certificate list that includes a plurality of public key certificates of trusted wireless communication networks (e.g., MNOs). The device identifier may be an IMEI, IEEE EUI-48/EUI-64 address (i.e., MAC address), MSISDN or NAI, or hash of its public key. The user device 102 also provides the ASP 112 with its public key which the ASP 112 may store.

The application service provider 112 also transmits application service registration information to components/devices of the wireless communication network 104. Application service registration information may include an application identifier that is uniquely associated to the application service, billing relation information, interface setup information between an SPF and the ASP 112 (e.g., security associated information, virtual private network information, etc.), and so on. The ASP 112 also provisions 904 one or more network devices, such as the RAN 106 and/or the MME 304 with a list of user device public keys that are approved for application-specific access for the application service provided by the application service provider.

As part of an application service announcement 906 by the RAN 106, a protocol similar to GAS/ANQP may be used for service discovery. The application service announcement may include a wireless communication network digital signature. If the service announcement includes such a digital signature, the user device 102 may verify 908 the signature using the wireless communication network public key that was provisioned to it in the trusted MNO's certificate list by the application service provider 112. The user device 102 may then send 910 a registration request to the MME 304 that includes the user device public key. The registration request may also include the device identifier and a first random number (e.g., Nonce_(U)). The MME 304 may then check to verify 912 the identity of the user device by checking to see whether the public key provided by the user device matches a public key on the list of approved public keys provided to it earlier by the application service provider 112. If it does then the user device's 102 identity is verified. If not then authentication is failed and the user device 102 may not be able to obtain application-specific access. After verification 912, the process 900 may follow the same the authorization and key agreement process shown in FIGS. 8A and 8B (steps 812 through 828).

According to one aspect, the application-specific credential may not be based on a subscriber identity module (SIM) credential or a universal subscriber identity module (USIM) credential since the user device may not have a SIM or USIM. The application-specific credential may only permit access through the wireless network 104 to a specific application service 114 of the application service provider 112, or to a set of application services. Some non-limiting, non-exclusive examples of how the application-specific credential may be provisioned in a secure manner when the application-specific credential includes a shared key include a dynamic symmetric key provisioning protocol (DSKPP (RFC 6063)) and/or a cryptographic token key initialization protocol (CT-KIP (RFC 4758)). When the application-specific credential includes a public key certificate, a certificate management over cryptographic message syntax (CMS (RFC 5272, 6402)) protocol may be used to securely provision the application-specific credential.

FIG. 10 illustrates a schematic block diagram of the user device 102 according to one aspect of the disclosure. The user device 102 may be any wireless communication device such as, but not limited to, a mobile phone, a smartphone, a laptop, a personal digital assistant (PDA), a tablet, a computer, a smartwatch, and a head-mounted wearable computer (e.g., Google Glass®). The user device 102 may include at least one or more wireless communication interfaces 1002, one or more memory circuits 1004, one or more input and/or output (I/O) devices/circuits 1006, and/or one or more processing circuits 1008 that may be communicatively coupled to one another. For example, the interface 1002, the memory circuit 1004, the LO devices 1006, and the processing circuit 1008 may be communicatively coupled to each other through a bus 1010. The wireless communication interface 1002 allows the user device 102 to communicate wirelessly with the wireless communication network 104. Thus, the interface 1002 allows the user device 102 to communicate wirelessly with wireless wide area networks (WWAN), such as mobile telecommunication cellular networks, as well as short range, wireless local area networks (e.g., WiFi®, Zigbee®, Bluetooth®, etc.). The wireless communication interface 1002 represents one example of a means for the user device to communicate with an application service after authentication and key agreement is successfully performed.

The memory circuit 1004 may include one or more volatile memory circuits and/or non-volatile memory circuits. Thus, the memory circuit 1004 may include dynamic random access memory (DRAM), static random access memory (SRAM), magnetoresistive random access memory (MRAM), electrically erasable programmable read-only memory (EEPROM), flash memory, etc. The memory circuit 1004 may store one or more cryptographic keys, such as shared keys and public key certificates (e.g., application-specific certificates, wireless communication network public key certificates, trusted MNO certificates, etc.). The memory circuit 1004 may also store instructions that may be executed by the processing circuit 1008. The I/O devices/circuits 1006 may include one or more keyboards, mice, displays, touchscreen displays, printers, fingerprint scanners, and any other input and/or output devices.

The processing circuit 1008 (e.g., processor, central processing unit (CPU), application processing unit (APU), etc.) may execute instructions stored at the memory circuit 1006 and/or instructions stored at another computer-readable storage medium (e.g., hard disk drive, optical disk drive, solid-state drive, etc.) communicatively coupled to the user device 102. The processing circuit 1008 may perform any one of the steps and/or processes of the user device 102 described herein including those discussed with reference to FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 13, and 14. According to one aspect, the processing circuit 1008 may be a general purpose processor. According to another aspect, the processing circuit may be hard-wired (e.g., it may be an application-specific integrated circuit (ASIC)) to perform the steps and/or processes of the user device 102 described herein including those discussed with reference to FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 13, and 14.

FIG. 11 illustrates a schematic block diagram of the user device processing circuit 1008 according to one aspect. The processing circuit 1008 may include a shared key receiving circuit 1102, a sponsored connectivity determination circuit 1104, a registration request transmission circuit 1106, an authentication information receiving circuit 1108, and/or an authorization and key agreement (AKA) performing circuit 1110. According to one aspect, these circuits 1102, 1104, 1106, 1108, 1110 may be ASICs and are hard-wired to perform their respective processes. The shared key receiving circuit 1102 may be one example of a means for receiving and storing a shared key from an application service provider. The sponsored connectivity determination circuit 1104 may be one example of a means for determining that a wireless communication network provides application-specific access to an application service provided by the application service provider. The registration request transmission circuit 1106 may be one example of a means for transmitting a registration request that includes a device identifier and an application identifier associated with the application service to the wireless communication network. The authentication information receiving circuit 1108 may be one example of a means for receiving, from the wireless communication network, authentication information derived at the application service provider that is based in part on the shared key. The AKA performing circuit 1110 may be one example of a means for performing authentication and key agreement with the wireless communication network based on the authentication information and the stored shared key.

FIG. 12 illustrates a schematic block diagram of the user device processing circuit 1008 according to another aspect. The processing circuit 1008 may include a certificate receiving circuit 1202, a sponsored connectivity determination circuit 1204, a registration request transmission circuit 1206, and/or an authorization and key agreement (AKA) performing circuit 1208. According to one aspect, these circuits 1202, 1204, 1206, 1208 may be ASICs and are hard-wired to perform their respective processes. The certificate receiving circuit 1202 may be one example of a means for receiving, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider. The sponsored connectivity determination circuit 1204 may be one example of a means for determining that a wireless communication network provides application-specific access to an application service provided by the application service provider. The registration request transmission circuit 1206 may be one example of a means for transmitting a registration request including the application-specific certificate to the wireless communication network for authentication of the user device, the application-specific certificate including a user device public key. The AKA performing circuit 1208 may be one example of a means for performing authentication and key agreement with the wireless communication network.

FIG. 13 illustrates a flowchart 1300 of a method operational at a user device 102 for obtaining application-specific access according to one aspect of the disclosure. First, the user device 102 receives and stores a shared key from an application service provider 1302. Then, the user device 102 determines that a wireless communication network provides application-specific access to an application service provided by an application service provider 1304. Next, a registration request is transmitted that includes a device identifier and an application identifier associated with the application service to the wireless communication network, the registration request adapted for transmission to the application service provider using a data connection through a packet data network 1306. Then, the user device 102 receives, from the wireless communication network, authentication information derived at the application service provider that is based in part on the shared key 1308. Next, authentication and key agreement is performed with the wireless communication network based on the authentication information and the stored shared key 1310. Then, the user device may communicate with the application service after authentication and key agreement is successfully performed 1312.

FIG. 14 illustrates a flowchart 1400 of a method operational at a user device 102 for obtaining application-specific access according to one aspect of the disclosure. First, the user device 102 receives, from an application service provider, an application-specific certificate associated with an application service provided by the application service provider 1402. Then, the user device 102 determines that a wireless communication network provides application-specific access to the application service provided by the application service provider 1404. Next, a registration request including the application-specific certificate is transmitted to the wireless communication network for authentication of the user device, the application-specific certificate including a user device public key 1406. Then, the user device 102 performs authentication and key agreement with the wireless communication network 1408. Next, the user device may communicate with the application service after authentication and key agreement is successfully performed 1410.

FIG. 15 illustrates a schematic block diagram of a wireless communication network device 1500 according to one aspect of the disclosure. The network device 1500 may be any one of the components/devices of the wireless communication network 104 (see FIGS. 1, 3, and 5) including, but not limited to, the RAN 106 and/or the MME 304. The network device 1500 may include at least one or more wireless communication interfaces 1502, one or more memory circuits 1504, one or more input and/or output (I/O) devices/circuits 1506, and/or one or more processing circuits 1508 that may be communicatively coupled to one another. For example, the interface 1502, the memory circuit 1504, the I/O devices 1506, and the processing circuit 1508 may be communicatively coupled to each other through a bus 1510. The wireless communication interface 1502 allows the network device 1500 to communicate wirelessly with the user device 102. Thus, the interface 1502 allows the network device 1500 to communicate wirelessly through wireless wide area networks (WWAN), such as mobile telecommunication cellular networks, and/or short range, wireless local area networks (e.g., WiFi®, Zigbee®, Bluetooth®, etc.).

The memory circuit 1504 may include one or more volatile memory circuits and/or non-volatile memory circuits. Thus, the memory circuit 1504 may include DRAM, SRAM, MRAM, EEPROM, flash memory, etc. The memory circuit 1504 may store one or more cryptographic keys such as public key certificates (e.g., application service provider certificates). The memory circuit 1504 may also store instructions that may be executed by the processing circuit 1508. The I/O devices/circuits 1506 may include one or more keyboards, mice, displays, touchscreen displays, printers, fingerprint scanners, and any other input and/or output devices.

The processing circuit 1508 (e.g., processor, central processing unit (CPU), application processing unit (APU), etc.) may execute instructions stored at the memory circuit 1506 and/or instructions stored at another computer-readable storage medium (e.g., hard disk drive, optical disk drive, solid-state drive, etc.) communicatively coupled to the network device 1500. The processing circuit 1508 may perform any one of the steps and/or processes of the network devices 106, 304, 306, 308 described herein including those discussed with reference to FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 18, and 19. According to one aspect, the processing circuit 1508 may be a general purpose processor. According to another aspect, the processing circuit 1508 may be hard-wired (e.g., it may be an application-specific integrated circuit (ASIC)) to perform the steps and/or processes of the network devices 106, 304, 306, 308 described herein including those discussed with reference to FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 18, and 19.

FIG. 16 illustrates a schematic block diagram of the network device processing circuit 1508 according to one aspect. The processing circuit 1508 may include a registration request receiving circuit 1602, an authentication information transmission circuit 1604, an authentication information receiving circuit 1606, and/or an authorization and key agreement (AKA) performing circuit 1608. According to one aspect, these circuits 1602, 1604, 1606, 1608 may be ASICs and are hard-wired to perform their respective processes. The registration request receiving circuit 1602 may be one example of a means for receiving, from a user device, a registration request for application-specific access to an application service provided by an application service provider. The authentication information transmission circuit 1604 may be one example of a means for transmitting an authentication information request including the registration request and a serving network identifier identifying the wireless communication network to the application service provider using a data connection through a packet data network. The authentication information receiving circuit 1606 may be one example of a means for receiving authentication information from the application service provider in response to transmitting the authentication information request. The AKA performing circuit 1608 may be one example of a means for performing authentication and key agreement with the user device based on the authentication information.

FIG. 17 illustrates a schematic block diagram of the network device processing circuit 1508 according to another aspect. The processing circuit 1508 may include an application service provider certificate receiving circuit 1702, a registration request receiving circuit 1704, a certificate verification circuit 1706, and/or an authorization and key agreement (AKA) performing circuit 1708. According to one aspect, these circuits 1702, 1704, 1706, 1708 may be ASICs and are hard-wired to perform their respective processes. The application service provider certificate receiving circuit 1702 may be one example of a means for receiving, from an application service provider, an application service provider certificate that includes an application service provider public key. The registration request receiving circuit 1704 may be one example of a means for receiving, from a user device, a registration request for application-specific access to an application service provided by an application service provider. The certificate verification circuit 1706 may be one example of a means for verifying the application-specific certificate using the application service provider public key to authenticate the user device. The AKA performing circuit 1708 may be one example of a means for performing authentication and key agreement with the user device based on the authentication information.

FIG. 18 illustrates a flowchart 1800 of a method operational at a network device 1500 for providing application-specific access according to one aspect of the disclosure. First, the network device 1500 receives, from a user device 102, a registration request for application-specific access to an application service provided by an application service provider, the registration request including a device identifier identifying the user device and an application identifier identifying the application service 1802. Next, an authentication information request including the registration request and a serving network identifier identifying the wireless communication network is transmitted to the application service provider using a data connection through a packet data network 1804. Then, authentication information is received from the application service provider in response to transmitting the authentication information request, the authentication information based in part on a shared key associated with the user device 1806. Next, the network device 1500 performs authentication and key agreement with the user device 102 based on the authentication information 1808.

FIG. 19 illustrates a flowchart 1900 of a method operational at a network device for providing application-specific access according to one aspect of the disclosure. First, the network device 1500 receives, from an application service provider, an application service provider certificate that includes an application service provider public key 1902. Then, the network device 1500 receives, from a user device 102, a registration request for application-specific access to an application service provided by the application service provider, the registration request including an application-specific certificate signed by the application service provider, the application-specific certificate including a public key associated with the application service 1904. Next, the network device verifies the application-specific certificate using the application service provider public key to authenticate the user device 1906. Then, the network device performs authentication and key agreement with the user device 1908.

One or more of the components, steps, features, and/or functions illustrated in FIGS. 1, 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, and/or 19 may be rearranged and/or combined into a single component, step, feature or function or embodied in several components, steps, or functions. Additional elements, components, steps, and/or functions may also be added without departing from the invention. The apparatus, devices, and/or components illustrated in FIGS. 1, 3, 4, 5, 6, 10, 11, 12, 15, 16, and/or 17 may be configured to perform one or more of the methods, features, or steps described in FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 13, 14, 18, and/or 19. The algorithms described herein may also be efficiently implemented in software and/or embedded in hardware.

Moreover, in one aspect of the disclosure, the processing circuit 1008 illustrated in FIGS. 10, 11, and/or 12 may be a specialized processor (e.g., an application specific integrated circuit (e.g., ASIC)) that is specifically designed and/or hard-wired to perform the algorithms, methods, and/or steps described in FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 13, and/or 14. Thus, such a specialized processor (e.g., ASIC) may be one example of a means for executing the algorithms, methods, and/or steps described in FIGS. 13 and 14. The computer-readable storage medium 1004 may also store processor 1008 readable instructions that when executed by a specialized processor (e.g., ASIC) causes the specialized processor to perform the algorithms, methods, and/or steps described in FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 13, and/or 14.

Moreover, in one aspect of the disclosure, the processing circuit 1508 illustrated in FIGS. 15, 16, and/or 17 may be a specialized processor (e.g., an application specific integrated circuit (e.g., ASIC)) that is specifically designed and/or hard-wired to perform the algorithms, methods, and/or steps described in FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 18, and/or 19. Thus, such a specialized processor (e.g., ASIC) may be one example of a means for executing the algorithms, methods, and/or steps described in FIGS. 18 and 19. The computer-readable storage medium 1504 may also store processor 1508 readable instructions that when executed by a specialized processor (e.g., ASIC) causes the specialized processor to perform the algorithms, methods, and/or steps described in FIGS. 2, 3, 4, 5, 6, 7A, 7B, 8A, 8B, 9, 18, and/or 19.

Also, it is noted that the aspects of the present disclosure may be described as a process that is depicted as a flowchart, a flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

Moreover, a storage medium may represent one or more devices for storing data, including read-only memory (ROM), random access memory (RAM), magnetic disk storage mediums, optical storage mediums, flash memory devices and/or other machine-readable mediums and, processor-readable mediums, and/or computer-readable mediums for storing information. The terms “machine-readable medium”, “computer-readable medium”, and/or “processor-readable medium” may include, but are not limited to non-transitory mediums such as portable or fixed storage devices, optical storage devices, and various other mediums capable of storing or containing instruction(s) and/or data. Thus, the various methods described herein may be fully or partially implemented by instructions and/or data that may be stored in a “machine-readable medium”, “computer-readable medium”, and/or “processor-readable medium” and executed by one or more processors, machines and/or devices.

Furthermore, aspects of the disclosure may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine-readable medium such as a storage medium or other storage(s). A processor may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

The various illustrative logical blocks, modules, circuits, elements, and/or components described in connection with the examples disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic component, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing components, e.g., a combination of a DSP and a microprocessor, a number of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

The methods or algorithms described in connection with the examples disclosed herein may be embodied directly in hardware, in a software module executable by a processor, or in a combination of both, in the form of processing unit, programming instructions, or other directions, and may be contained in a single device or distributed across multiple devices. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. A storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor.

Those of skill in the art would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the aspects disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system.

The various features of the invention described herein can be implemented in different systems without departing from the invention. It should be noted that the foregoing aspects of the disclosure are merely examples and are not to be construed as limiting the invention. The description of the aspects of the present disclosure is intended to be illustrative, and not to limit the scope of the claims. As such, the present teachings can be readily applied to other types of apparatuses and many alternatives, modifications, and variations will be apparent to those skilled in the art. 

What is claimed is:
 1. A method operational at a user device, the method comprising: receiving, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider; determining that a wireless communication network provides application-specific access to the application service provided by the application service provider; transmitting a registration request including the application-specific certificate to the wireless communication network for authentication of the user device, the application-specific certificate including a public key associated with the application service; performing authentication and key agreement with the wireless communication network; and communicating with the application service after authentication and key agreement is successfully performed.
 2. The method of claim 1, wherein authentication and key agreement with the wireless communication network is performed directly between the user device and the wireless communication network and independent to the application service provider.
 3. The method of claim 1, wherein the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.
 4. The method of claim 1, wherein the application-specific certificate further includes an application identifier and an application-specific digital signature, the application-specific digital signature including the public key and the application identifier both signed by a private key of the application service provider, the application identifier uniquely associated with the application service.
 5. The method of claim 1, further comprising: obtaining application-specific access to the application service after authentication and key agreement is successful.
 6. The method of claim 1, wherein determining that the wireless communication network provides application-specific access includes receiving an announcement broadcast by the wireless communication network of an availability of the application service through the wireless communication network.
 7. The method of claim 1, further comprising: receiving, from the application service provider, a plurality of certificates associated with trusted wireless communication networks, the plurality of certificates including a certificate having a wireless communication network public key that is a public key of the wireless communication network.
 8. The method of claim 7, further comprising: authenticating the wireless communication network by verifying a wireless communication network digital signature using the wireless communication network public key, the wireless communication network digital signature included in an application service announcement received from the wireless communication network.
 9. The method of claim 1, further comprising: enabling communication between the user device and a set of application services allowed by the application service provider after authentication and key agreement is successfully performed.
 10. A user device comprising: a wireless communication interface adapted to wirelessly communicate with a wireless communication network; and a processing circuit communicatively coupled to the communication interface, the processing circuit adapted to: receive, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider; determine that a wireless communication network provides application-specific access to the application service provided by the application service provider; transmit a registration request including the application-specific certificate to the wireless communication network for authentication of the user device, the application-specific certificate including a public key associated with the application service; perform authentication and key agreement with the wireless communication network; and communicate with the application service after authentication and key agreement is successfully performed.
 11. The user device of claim 10, wherein authentication and key agreement with the wireless communication network is performed directly between the user device and the wireless communication network and independent to the application service provider.
 12. The user device of claim 10, wherein the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.
 13. The user device of claim 10, wherein the application-specific certificate further includes an application identifier and an application-specific digital signature, the application-specific digital signature including the public key and the application identifier both signed by a private key of the application service provider, the application identifier uniquely associated with the application service.
 14. The user device of claim 10, wherein the processing circuit is further adapted to: obtain application-specific access to the application service after authentication and key agreement is successful.
 15. The user device of claim 10, wherein the processing circuit adapted to determine that the wireless communication network provides application-specific access includes the processing circuit further adapted to: receive an announcement broadcast by the wireless communication network of an availability of the application service through the wireless communication network.
 16. The user device of claim 10, wherein the processing circuit is further adapted to: receive, from the application service provider, a plurality of certificates associated with trusted wireless communication networks, the plurality of certificates including a certificate having a wireless communication network public key that is a public key of the wireless communication network.
 17. The user device of claim 16, wherein the processing circuit is further adapted to: authenticate the wireless communication network by verifying a wireless communication network digital signature using the wireless communication network public key, the wireless communication network digital signature included in an application service announcement received from the wireless communication network.
 18. The user device of claim 10, wherein the processing circuit is further adapted to: enable communication between the user device and a set of application services allowed by the application service provider after authentication and key agreement is successfully performed.
 19. A user device comprising: means for receiving, from an application service provider, an application-specific certificate associated with at least one application service provided by the application service provider; means for determining that a wireless communication network provides application-specific access to the application service provided by the application service provider; means for transmitting a registration request including the application-specific certificate to the wireless communication network for authentication of the user device, the application-specific certificate including a public key associated with the application service; means for performing authentication and key agreement with the wireless communication network; and means for communicating with the application service after authentication and key agreement is successfully performed.
 20. The user device of claim 19, wherein authentication and key agreement with the wireless communication network is performed directly between the user device and the wireless communication network and independent to the application service provider.
 21. The user device of claim 19, wherein the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.
 22. The user device of claim 19, further comprising: means for obtaining application-specific access to the application service after authentication and key agreement is successful.
 23. The user device of claim 19, further comprising: means for receiving, from the application service provider, a plurality of certificates associated with trusted wireless communication networks, the plurality of certificates including a certificate having a wireless communication network public key that is a public key of the wireless communication network; and means for authenticating the wireless communication network by verifying a wireless communication network digital signature using the wireless communication network public key, the wireless communication network digital signature included in an application service announcement received from the wireless communication network.
 24. A method operational at a wireless communication network device associated with a wireless communication network, the method comprising: receiving, from an application service provider, an application service provider certificate that includes an application service provider public key; receiving, from a user device, a registration request for application-specific access to an application service provided by the application service provider, the registration request including an application-specific certificate signed by the application service provider, the application-specific certificate including a public key associated with the application service; verifying the application-specific certificate using the application service provider public key to authenticate the user device; and performing authentication and key agreement with the user device.
 25. The method of claim 24, wherein authentication and key agreement with the user device is performed directly between the user device and the wireless communication network device and independent to the application service provider.
 26. The method of claim 24, further comprising: receiving application service registration information associated with the application service before receiving the registration request from the user device.
 27. The method of claim 26, wherein the application service registration information is received from the application service provider via a service provisioning function.
 28. The method of claim 26, wherein the application service registration information includes at least one of an application identifier and/or an application service class indicating a quality of service the wireless communication network provides for communications between the user device and the application service.
 29. The method of claim 24, further comprising: broadcasting an announcement that indicates availability of application-specific access to the application service through the wireless communication network.
 30. The method of claim 29, wherein the application service announcement includes a wireless communication network digital signature signed by a private key of the wireless communication network, the digital signature adapted for verification at the user device with a wireless communication network public key.
 31. The method of claim 24, wherein the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.
 32. The method of claim 24, wherein the application-specific certificate further includes an application identifier and an application-specific digital signature, the application-specific digital signature including the public key and the application identifier both signed by a private key of the application service provider, the application identifier uniquely associated with the application service.
 33. The method of claim 24, further comprising: providing application-specific access to the user device for the application service after authentication and key agreement is successful.
 34. The method of claim 24, further comprising: storing an application-specific certificate revocation list including a plurality of application-specific certificates provisioned to user devices that have been revoked and to which application-specific access should not be granted.
 35. A wireless communication network device associated with a wireless communication network, the wireless communication network device comprising: a wireless communication interface adapted to wirelessly communicate with at least a user device; and a processing circuit communicatively coupled to the wireless communication interface, the processing circuit adapted to: receive, from an application service provider, an application service provider certificate that includes an application service provider public key; receive, from the user device, a registration request for application-specific access to an application service provided by the application service provider, the registration request including an application-specific certificate signed by the application service provider, the application-specific certificate including a public key associated with the application service; verify the application-specific certificate using the application service provider public key to authenticate the user device; and perform authentication and key agreement with the user device.
 36. The wireless communication network device of claim 35, wherein authentication and key agreement with the user device is performed directly between the user device and the wireless communication network device and independent to the application service provider.
 37. The wireless communication network device of claim 35, wherein the processing circuit is further adapted to: receive application service registration information associated with the application service before receiving the registration request from the user device.
 38. The wireless communication network device of claim 37, wherein the application service registration information is received from the application service provider via a service provisioning function.
 39. The wireless communication network device of claim 37, wherein the application service registration information includes at least one of an application identifier and/or an application service class indicating a quality of service the wireless communication network provides for communications between the user device and the application service.
 40. The wireless communication network device of claim 35, wherein the processing circuit is further adapted to: broadcast an announcement that indicates availability of application-specific access to the application service through the wireless communication network.
 41. The wireless communication network device of claim 40, wherein the application service announcement includes a wireless communication network digital signature signed by a private key of the wireless communication network, the digital signature adapted for verification at the user device with a wireless communication network public key.
 42. The wireless communication network device of claim 35, wherein the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.
 43. The wireless communication network device of claim 35, wherein the application-specific certificate further includes an application identifier and an application-specific digital signature, the application-specific digital signature including the public key and the application identifier both signed by a private key of the application service provider, the application identifier uniquely associated with the application service.
 44. The wireless communication network device of claim 35, wherein the processing circuit is further adapted to: provide application-specific access to the user device for the application service after authentication and key agreement is successful.
 45. The wireless communication network device of claim 35, wherein the processing circuit is further adapted to: store an application-specific certificate revocation list including a plurality of application-specific certificates provisioned to user devices that have been revoked and to which application-specific access should not be granted.
 46. A wireless communication network device comprising: means for receiving, from an application service provider, an application service provider certificate that includes an application service provider public key; means for receiving, from a user device, a registration request for application-specific access to an application service provided by the application service provider, the registration request including an application-specific certificate signed by the application service provider, the application-specific certificate including a public key associated with the application service; means for verifying the application-specific certificate using the application service provider public key to authenticate the user device; and means for performing authentication and key agreement with the user device.
 47. The wireless communication network device of claim 46, wherein authentication and key agreement with the user device is performed directly between the user device and the wireless communication network and independent to the application service provider.
 48. The wireless communication network device of claim 46, further comprising: means for receiving application service registration information associated with the application service before receiving the registration request from the user device.
 49. The wireless communication network device of claim 46, wherein the public key associated with the application service is a user device public key, and the application-specific certificate further includes an application-specific digital signature, the application-specific digital signature including the user device public key signed by a private key of the application service provider.
 50. The wireless communication network device of claim 46, further comprising: means for providing application-specific access to the user device for the application service after authentication and key agreement is successful. 